Hybrid cloud infrastructures run critical business resources and are subject to some of the strictest network security controls. Irrespective of the industry and resource types, these controls broadly fall into three categories.
Workloads (pods) running on Kubernetes are ephemeral in nature, and IP-based controls are no longer effective. The challenge is to enforce the organizational security controls on the workloads and Kubernetes nodes themselves. Customers need the following capabilities:
Existing security tools are designed for hosts and do not understand Kubernetes and pods. With Calico Enterprise, you can apply your enterprise security controls to both Kubernetes nodes and pods. Another aspect to consider is monitoring and visibility. Traditional tools are built for IP-based connectivity monitoring. With Kubernetes, you need visibility into the pod, namespace, policy, and labels of a connection. Without Kubernetes-aware logs, there is no visibility into network connectivity, and without visibility, troubleshooting and compliance monitoring become very difficult.
Kubernetes nodes and workloads must be labeled appropriately, and the application onboarding workflow must ensure that the labels required for the security controls are applied to the workloads. Even when resources auto-scale up or down and are ephemeral, the label provides a consistent selector for the workload, so the security controls can be applied declaratively. A policy example is shown in the diagram on the right. Irrespective of whether the labels DEV and PROD apply to pods or nodes, Calico Enterprise will enforce the policy.
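The following is an added example, not a manifest from the original page or from the Calico project: it shows one way to express the DEV/PROD policy from the diagram as a label-selected Calico GlobalNetworkPolicy that applies to pods and nodes alike. The node name, interface, IP address, label names and policy names are assumptions; a node only participates once a HostEndpoint carrying the label exists for it, and pods participate through their ordinary Kubernetes labels.

```yaml
# Added example (assumed names and values). A HostEndpoint gives a node the
# same kind of label a pod has, so one selector covers both.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: worker-1-eth0          # assumed: <node>-<interface>
  labels:
    env: dev                   # the DEV label from the diagram
spec:
  node: worker-1               # assumed node name
  interfaceName: eth0          # assumed interface
  expectedIPs:
    - 10.0.0.11                # constructed address for the example
---
# Global (non-namespaced) policy: applies to every endpoint, pod or host,
# whose label matches the selector.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: prod-isolation         # assumed policy name
spec:
  order: 100
  selector: env == 'prod'      # protected endpoints: pods or nodes labeled PROD
  types:
    - Ingress
  ingress:
    # Explicitly deny anything coming from a DEV-labeled pod or node.
    - action: Deny
      source:
        selector: env == 'dev'
    # Allow PROD-to-PROD traffic; anything else falls through to later
    # policies and, if none match, to the default-deny for selected endpoints.
    - action: Allow
      source:
        selector: env == 'prod'
```

Apply both resources with `kubectl apply -f`, then check that the pods and nodes you expect are actually selected: a pod that was scaled up without the `env` label is not covered by this policy, which is why the onboarding workflow has to guarantee the label is set.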
As you grow to hundreds of policies and have different teams accessing the cluster, you will need to plan for role separation. A very common practice is to separate the Security, Ops and Dev teams. You may wish to implement the policy model so that each team has access only to its own policies. Calico Enterprise provides policy tiers for this purpose. Tiers are Kubernetes resources that can be controlled using role-based access control (RBAC). The diagram below illustrates the tiering model.
Note that some customers prefer to have a platform tier in the left-most column, to give highest preference to basic cluster functioning. It all comes down to the security blueprint of your organization.
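As an added example (not from the original page or from the Calico documentation), the manifests below create a `security` tier that is evaluated before the default tier, place one policy in it, and grant a group the RBAC needed to manage only that tier's policies. The tier name, order values, group name and label names are assumptions; the `tier.globalnetworkpolicies` / `tier.networkpolicies` resource names with a `<tier>.*` resourceName are the Calico Enterprise convention for per-tier RBAC.

```yaml
# Added example (assumed names). Tiers are evaluated in ascending order; a
# lower order number means the tier is consulted first.
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: security
spec:
  order: 100                   # assumed: evaluated before the default tier
---
# A policy inside a tier is named "<tier>.<name>" and declares its tier.
# This one quarantines any endpoint carrying a quarantine label and then
# hands everything else to the next tier, so the Security team's rules
# cannot be bypassed by Ops or Dev policies further down the chain.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.quarantine    # assumed policy name
spec:
  tier: security
  order: 10
  selector: all()
  types:
    - Ingress
    - Egress
  ingress:
    - action: Deny
      source:
        selector: quarantine == 'true'   # assumed label set by the Security team
    - action: Pass               # fall through to the next tier
  egress:
    - action: Deny
      destination:
        selector: quarantine == 'true'
    - action: Pass
---
# RBAC: the Security team may read its tier and fully manage policies
# within it, but has no rights on policies in other tiers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-tier-policy-admin   # assumed role name
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["tiers"]
    resourceNames: ["security"]
    verbs: ["get"]
  - apiGroups: ["projectcalico.org"]
    resources: ["tier.globalnetworkpolicies", "tier.networkpolicies"]
    resourceNames: ["security.*"]      # only policies that live in this tier
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-team-tier-binding
subjects:
  - kind: Group
    name: security-team              # assumed identity-provider group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: security-tier-policy-admin
  apiGroup: rbac.authorization.k8s.io
```

The important design choice is the trailing `Pass` rule: without it, a policy in an early tier that selects `all()` would end evaluation for every endpoint it matches, and the Ops and Dev tiers would never be consulted. A platform tier as described above would be another Tier resource with a lower `order` than `security`.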
Calico Enterprise provides you with comprehensive data on endpoints, policies and logs. Auditors need actionable information, which is typically delivered in the form of logs and reports. You define the scope of a report or an alert as a Kubernetes resource in Calico Enterprise. Access to reports can be controlled by role (e.g., per team), and reports are available for download from the UI.
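As an added example (not from the original page), the resources below define a scheduled inventory report scoped by label, together with a read-only role for the team that needs to retrieve it. The report name, schedule, label selector and group name are assumptions; `GlobalReport` with `reportType`, `schedule` and an `endpoints` selector is the Calico Enterprise resource for defining report scope.

```yaml
# Added example (assumed names). The report covers only endpoints carrying
# the PROD label, so the same label used for enforcement also defines the
# audit scope.
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
  name: prod-weekly-inventory      # assumed report name
  labels:
    team: security                 # assumed label used to group reports
spec:
  reportType: inventory            # endpoints, policies and their relationships
  schedule: "0 0 * * 0"            # assumed: weekly, Sunday 00:00 (cron syntax)
  endpoints:
    selector: env == 'prod'
---
# Read-only access to reports for the audit team: get/list the report
# definitions and the report types, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: audit-report-reader        # assumed role name
rules:
  - apiGroups: ["projectcalico.org"]
    resources: ["globalreports", "globalreporttypes"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: audit-team-report-binding
subjects:
  - kind: Group
    name: audit-team               # assumed identity-provider group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: audit-report-reader
  apiGroup: rbac.authorization.k8s.io
```

Keeping the report scope on the same labels the policies select means a workload that is missing its label is absent from both enforcement and the audit trail; checking the report's endpoint count against the expected number of PROD workloads is a cheap way to catch that gap.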
It’s important to adapt your existing security controls to Kubernetes. Here are some recommended approaches:
Policy tiers: https://docs.tigera.io/security/tiered-policy#the-default-tier-always-last
Protect Kubernetes nodes: https://docs.tigera.io/security/protect-hosts#how-to
Flow and audit logs: https://docs.tigera.io/security/logs/
Compliance reports: https://docs.tigera.io/security/compliance-reports/